Hiscox, the international specialist insurer, today released The Hiscox Cyber Readiness Report 2019™, which gauges how prepared businesses are to combat cyber attacks. The annual report surveyed nearly 5,400 professionals from the US, UK, Germany, Belgium, France, Spain and the Netherlands who are responsible for their company’s cybersecurity and found that the cost and frequency of attacks are on the rise. Sixty-one percent of firms experienced a cyber attack in the past year, compared to 45% in 2018. The median cost for losses associated with cyber incidents also soared from $229,000 to $369,000.
To determine the respondents’ preparedness to handle cyber attacks, Hiscox evaluated the firms’ strategy (oversight and resourcing) and execution (technology and process) and ranked them as a ‘cyber novice,’ ‘cyber intermediate’ or ‘cyber expert.’
Key findings specific to the more than 1,000 US companies surveyed include:
- Leaky bucket budgets: Seventy-two percent of firms plan to increase spending on cyber security in the coming year. However, increased spend without proper infrastructure and training is the equivalent of pouring water into a leaky bucket. Only 11% of respondents cited increased spending on employee training and culture changes as a result of a cyber security incident, both of which are crucial components of a company’s defense against cyber risks.
- Attacks are on the rise: Fifty-three percent of respondents reported an attack in the past 12 months, compared to 38% last year. Many companies do not take proper action following an attack, with 45% of companies reporting experiencing three or more attacks in the past year. Cyber incidents come with a large price tag. The mean cost of cyber incidents in the US was $119,000.
- Fewer large companies are ‘cyber experts:’ While it would seem they have the resources to be prepared, only 11% of large and enterprise firms ranked as ‘cyber experts,’ compared to 26% of large and enterprise firms last year.
- Unexpected risks in the supply chain: Fifty-six percent of firms experienced cyber-related issues in their supply chain in the past year. However, only 7% of respondents cited increased evaluation of the supply chain as a result of a cyber security incident occurring in the past 12 months.
- Lack of insurance heightens the stakes: Twenty-seven percent of respondents have no plans to purchase cyber insurance, and 5% are unsure of what cyber insurance is.
“The message that cyber risk is a real threat to businesses of all sizes is sinking in. Companies are increasingly aware of the risks and pouring more resources into cyber protection, and yet, there is still a tremendous gap between awareness of the issue and actually having an effective defense,” said Meghan Hannes, Cyber Product Head for Hiscox in the US. “Many believe that increasing cyber-related spending fully protects a business, but it isn’t enough. Businesses must take a holistic approach, ensuring they can properly maximize their investment with appropriate internal protocols, staffing, and employee training, ultimately creating a human firewall as the first line of defense.”
Creating a Line of Defense: Cybersecurity Best Practices
Based off Hiscox’s proprietary module, companies in the seven countries surveyed had to achieve a minimum score of 4.0/5 in strategy and execution to qualify as a ‘cyber expert.’ The study identified ‘cyber expert’ best practices that ‘cyber novices’ lack, and, based on the global findings, these include:
- Securing executive buy-in: Only 54% of ‘cyber novices’ globally believe cybersecurity is a top priority for their firm’s executive management/board as compared to 85% percent of ‘cyber experts.’
- Creating a well-defined strategy with input from multiple stakeholders and determining a formal and adequate cyber budget: On average, ‘cyber experts’ globally devote 14.7% of their IT budget to cybersecurity, but ‘cyber novices” cybersecurity spending accounts for just 8.7% of their overall IT budget.
- Dedicating a cyber head tasked with overseeing the strategy, supported by a team if necessary: Globally, 51% of ‘cyber experts’ have a dedicated leader who oversees cybersecurity, compared to just 39% of ‘cyber novices.’
- Regularly evaluating the supply chain: Only 18% of ‘cyber novices’ strongly feel that they have good visibility into their suppliers’ security arrangements, compared to 34% of ‘cyber experts’ globally.
- Defining a process that spans from when a cyber incident is detected to when it has been mitigated, and making sure employees are ready to learn, respond and make changes to this process if an incident occurs: Eighty-five percent of all ‘cyber experts’ have a clearly defined cybersecurity strategy, compared to just 53% of ‘cyber novices.’
- Conducting proactive testing through simulated attacks and regular phishing experiments: Forty-one percent of ‘cyber novices’ globally have conducted phishing experiments to understand employee behavior and readiness for attacks, compared to 69% of ‘cyber experts.’
- Insuring your business with a cyber policy: Globally, 59% of ‘cyber experts’ currently have already adopted cyber insurance, compared to only 37% of ‘cyber novices.’
Hiscox USA provides a variety of specialty risk solutions including a broad spectrum of professional errors & omissions, general liability, cyber and data security, media liability, management liability, crime, kidnap & ransom, terrorism and commercial property insurance products.
Hiscox offers an online interactive suite of cyber security training modules included as part of its Cyber and data insurance policies that helps customers prepare their employees and reduce the risk of a cyber incident occurring.